Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 157

In late 2020 the information security profession began a major paradigm shift away from focusing on defense in depth and its association with trust but verify (or verify at initial access, then trust until end of session) as the dominant metaphor. Zero trust as a set of concepts focuses instead on protecting data assets first and foremost. NIST published its SP 800-207 Zero Trust Architecture (ZTA) as a reference and guide in August 2020; a number of vendors have begun providing implementation roadmaps that use this, and in May 2021, the US Defense Information Systems Agency published its zero trust reference architecture. All of these represent snapshots in time of a rapidly evolving set of concepts, ideas, strategies, and tactics.

NIST SP 800-207 describes a ZTA as one that demonstrates the following design tenets:

 Data and computing services are treated as resources to be managed and protected.

 All communications are secured regardless of network (or physical) locations; trust is not implied by where on the network it originates.

 Resource access is granted on a per-session basis, with requestor trustworthiness being evaluated with each access request, and granted with least privileges.

 Dynamic policies based on observable behavior dictate access control decisions.

 Integrity and security posture of all owned and associated assets is measured and monitored by the system's owners and administrators.

 Strict enforcement of authentication and authorization, including on a continuing basis, is required for all access attempts.

 Systems owners and administrators continuously monitor systems, network infrastructures, communications, and asset security posture, and use this information to continually improve security posture.

As an individual person, you are an entity; you then use multiple identities, which are the dataset that an organization or its systems creates and uses to bind to your assertion as an entity of who (or what) it is to the sets of privileges that organization chooses to grant to you. Systems like just in time identity provisioning and identity as a service require us to keep the concepts of entities and identities separate and distinct. Logging into your systems at work involves multiple entities—you, the endpoint device you're using, the applications you're using, each of which are part of fulfilling your purpose for accessing the system. Traditional views of identity management treated entities and human user identities as separate problems; zero trust architectures and systems like user and entity behavioral analytics (UEBA) bring them back closer together.